
Click, Call, Compromise: Inside the Latest Loader Campaigns
Sherrod DeGrippo: Welcome to "The Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cyber crime, social engineering, fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cyber security. It might get a little weird. But don't worry. I'm your guide to the back alleys of the threat landscape. Hello and welcome to "The Microsoft Threat Intelligence Podcast." I am Sherrod DeGrippo, director of threat intelligence strategy here at Microsoft. And I am joined by two of my favorite guests here at Microsoft. I've got Kelsey Clapp, senior researcher here at Microsoft, and Anna Seitz, senior researcher here at Microsoft as well. Kelsey, Anna, welcome to the show. Anna, welcome back. I know you're a perennial favorite on the podcast. Thanks for joining me.
Anna Seitz: Thanks for having me back.
Sherrod DeGrippo: It's good to talk to you, and I was really excited when you sent over your ideas for this episode because it's talking about a threat actor first that is doing crime, my favorite, and doing some really interesting techniques around updates and SEO. So Storm-2561 is the threat actor name. What can you tell us about this threat actor?
Anna Seitz: Yeah. So this is a cyber crime financially motivated threat actor that Microsoft tracks as Storm-2561. And this group has been active since May of 2025. They are known for SEO poisoning essentially, and that's what we're going to talk about today is their latest activity where they began distributing a trojanized version of something called SonicWall SSL VPN NetExtender. That's a lot of words. But basically what this is is NetExtender enables remote users to securely connect and run applications on a company network.
Sherrod DeGrippo: Okay. So I want to take a quick little detour for the listeners and explain to them what SEO poisoning is because it's a very interesting technique that has been around for, I don't know, decades, as long as the search engines have been around. So here's how it works. The threat actor picks a piece of software that lots of people like such as a VPN client or any tool or browser that you might search for on any of your favorite search engines. I know that there are many that you love. They set up a fake website. The name will look totally legit such as sonicwallnetextender.com or sonicwalldownload.online. But the trick is what they do next. There's a fake website. All the keywords are right. Everything it says, stuff like "Download SonicWall VPN," "Official NetExtender installer," "Official client," all of these kinds of phrases that people are typically putting in a search engine, they make a website that matches those search terms. They use tactics like link farming and putting up other sites that have back links to their fake site so that increases the reputation of their fake site. So now when you -- not you. None of my listeners would ever do this. But somebody you know, maybe a coworker or a family member, goes to search something like download SonicWall NetExtender. The malicious site will pop up in the search results possibly at the top, possibly even above the actual legit page. So when you click download what you are downloading is not just the installer. You get bonus malware bundled with it. And in the case that we're going to talk about it was a piece of malware called SilentRoute which steals your VPN credentials and sends those back to the threat actor. So this isn't like cred phish or various types of phishing where you click a link in an email. With SEO poisoning you think you're actually being smart. You're going to your favorite search engine. You're putting in your search terms yourself. 
You're choosing the software yourself. You saw the results on a trusted search engine. And then what you actually get, what you're actually downloading, is malicious. So this particular threat actor has been pretty smart using that. Right, Anna?
Anna Seitz: Yeah. They're very tricky. Basically this is not the first time that Storm-2561 has done this. We've also seen them deliver Bumblebee in a similar fashion through this SEO poisoning. And so with the delivery of Bumblebee that was a significant strategic shift in targeting moving away from that mainstream software to more niche tools. And, like you said earlier, that exploits trust in specialized applications.
Sherrod DeGrippo: So something I want to mention about Bumblebee which I've been tracking since before I came to Microsoft. It's been around since 2022 and it's essentially a first stage loader and it's part of those initial access pieces of malware that give a threat actor just kind of access to the machine to be able to do whatever they think is next. A lot of ransomware broker groups will use Bumblebee and then sell that access as a broker. And again I want to make it clear those groups are never actually necessarily doing the ransomware. They're just selling access to machines that they have compromised with something like Bumblebee. We've also seen similar things like TrickBot do things like that [inaudible 00:06:13] loader. These initial access loaders are really popular because then the ransomware actors like Black Basta, Conti, and the various splinter groups from there can come in and load their malware via that initial access through Bumblebee. So Bumblebee to me it sounds like is an indicator that you're on the ransomware escalation path.
Anna Seitz: Absolutely. Yeah. Bumblebee is the gateway to additional payloads and if you see it it's a significant risk to any organization, especially in developer environments where there might be privileged access and a potential cyber criminal could leverage that for even broader attacks, especially in data theft.
Sherrod DeGrippo: Something I was talking about with some people recently in Vegas at those events was like these initial access malware like Bumblebee it's kind of like a driver in a ride share. It doesn't actually do the attack itself, but it like picks up bad guys, drops them off inside your environment, and then just is gone. Like those initial access brokers really deal in not actually doing the crime, but facilitating it. And they've created an entire industry there.
Anna Seitz: Yeah. They totally have. And especially in the case with SilentRoute that's the trojanized version of NetExtender. So SilentRoute is capturing all that VPN authentication data that a user is entering into the trojanized application and then it transmits that to a new IP address and so there are multiple websites that are serving up this fraudulent SilentRoute malware. And so for SonicWall the users are reaching these websites through the SEO poisoning that we talked about and then they are typically socially engineered and prompted to download more stuff and the users are downloaded and signed with a code-signing certificate and so much of the code in SilentRoute is identical to that in the SonicWall SSL VPN NetExtender.
Sherrod DeGrippo: So a lot of these initial access pieces of malware are kind of like the gift that keeps on taking. It just keeps getting worse and worse and worse from there. So SilentRoute is taking VPN credentials, exfiltrating them over TCP on port 8080. 8080 is a relatively basic port. It's not your standard ports and protocols that we normally see, but 8080 is not that unusual to see traffic on so it might not ring any alarm bells to start unless you are running the absolute latest and greatest in terms of detection. So what can individuals and organizations know and do to make sure that they don't get caught up in this kind of like first hit is free malware broker situation?
Anna Seitz: Right. So you know all of these methods of tactics of these cyber criminals are relying on that trust element and it's really capitalizing on the trust element of search engines. So basically don't download anything if you don't think or don't know for sure if it's the legitimate application that you're trying to download. That's probably the most impactful advice. Make sure you're always double checking whether you're hovering over a link or however; the main website for SonicWall is a good example of that. So just making sure you're triple, quadruple checking what you're downloading.
Sherrod DeGrippo: I think that and then making sure that any EDR that you have is in block mode. Making sure that you have on things like cloud-delivered protection. And it kind of comes back to all of the security advice that we give to people which is turn on and update your security controls. That's step one is run your updates and have your security controls configured to be able to do the work to protect you. Anything else we need to know about Storm-2561 and the SEO poisoning with SilentRoute?
Anna Seitz: I think SEO poisoning is going to be something that we continue to see in like a hyper niche style, especially since Bumblebee has come back onto the scene. And it just shows that it's a persistent evolution with these advanced delivery mechanisms like SEO poisoning and that's just continuing to show the significance of the ongoing threats of these types of tactics in this modern threat landscape.
Sherrod DeGrippo: Yeah. I think that's important to remember, and I think that with the ability to create and deploy websites rapid fire, especially if you're going to leverage something like AI to build those for you and then give you a back links plan and then a search engine optimization plan for any keywords that you want to use, whether those are software brands or well known consumer brands, electronics brands, tech things, anything like that, I could see SEO poisoning is absolutely a gateway to everything from these fake updates that include malware to tricking people into purchasing digital assets like cryptocurrencies and NFTs that aren't necessarily legitimate. All kinds of different things that, hey, if you could get traffic to a website and trick people into doing things there what would you come up with? The threat actors are already on that brainstorm channel and are coming up with really creative things. Okay. Let's move on to a new interesting type of malware called ReedBed. Kelsey, what do we need to know about ReedBed? I see that it is abusing some of our favorite applications and modules such as Quick Assist, ScreenConnect, and NetSupport Manager. What should we know here?
Kelsey Clapp: Storm-1811 is a financially motivated threat actor. Their goal is to make money through ransomware. So nothing political here. It is just strictly they are trying to make money. They've developed this loader malware called ReedBed. They use it once they've already gotten into a network. So think of it like a bridge. It gives them interactive control to spread laterally with tools like PsExec and Windows Remote Shell. And then they can deploy things like Qakbot, Cobalt Strike, and then eventually ransomware like Black Basta.
Sherrod DeGrippo: So something that I found really interesting about the ReedBed campaign, Storm-1811 is doing their initial access not just sending phishing emails. They are actually making calls to employees at these organizations leveraging things like Microsoft Teams, pretending to be an IT help desk which is pretty bold, and then starting with some kind of setup like maybe they send an email, maybe they call. That initial email is saying something like, "Your mailbox is having issues. Your computer has a problem. IT is going to call you." So there's like a two step setup and then they say, "We noticed problems. We're going to help you fix it." Because the employee now trusts the caller thinking they're IT, the threat actor gets the employee unknowingly to install a legitimate tool like ScreenConnect which are real IT tools. I want to be clear. These are legitimate remote management and monitoring tools that help IT teams manage assets in their organization. Companies use them every day. So the employee installs this and doesn't think about it being an issue. These are legitimate tools. You can go search them and see they're legitimate tools. But once that's in place the attacker now has the ability to become interactive and then get remote access to that machine. From there they drop in the ReedBed trojanized DLL. So it's a long attack chain.
Kelsey Clapp: Absolutely. It's actually -- and, like you said, it's incredibly -- for as simple as some of those processes may seem, that's relatively sophisticated to actually try to emulate what an IT support team would actually be providing. And I can absolutely understand why people would find those things pretty legitimate feeling. I feel like any time that you have people reaching out through Microsoft Teams and impersonating help desk, that is a strategy that's very effective.
Sherrod DeGrippo: It is effective, and I think when you look at this attack chain you can see how it has a significant amount of resource overhead for the threat actor, but learning about this particular attack, knowing this TTP of sending an email and then following it up with a Teams call, pretending to be IT help desk, that's a lot of overhead now. But it's highly likely that these threat actors could leverage something like AI or even just basic scripting to scale that operation and do more and more and more of it. I think what's interesting too here is that once that trojanized DLL is loaded that host now is calling back to the threat actor owned command and control getting more instructions and then getting things like Cobalt Strike, Qakbot, and other secondary payloads. So this is like a very long attack chain.
Kelsey Clapp: It is. And keeping those lines of communication with the C2 is how this is going to be continually effective. So.
Sherrod DeGrippo: I think too what's interesting, attack chains in my career have gotten longer. Like the steps to draw out an attack chain. If you're -- for those of you listening you've made an attack chain in PowerPoint before. Come on. Let's admit it. We've all made those little boxes with the rounded corners and the arrows pointing to like each step and then, oh, if it has high privilege then it does this, if it has low privilege it does that. I map out attack chains all the time on paper, quote, on PowerPoint. And it's getting harder and harder to fit all of the steps of an attack chain into those slides these days. When I first started working ransomware in 2015 they were literally attaching -- those threat actor groups were literally attaching Locky to an email and sending that out literally a million times a day. And so you would open an email. It would have an attachment. You would click on the attachment and you had ransomware. But because of the security industry's focus on getting better and better at detecting things, getting better at secure by default, secure by design, improving code, minimizing vulnerabilities, better configurations, quicker updates, the threat actors have had to move to these longer attack chains and honestly I just think it's going to get longer.
Kelsey Clapp: Absolutely. And we're going to have to find new ways of cutting off those entry points. So it means changing what defenders are doing. So if you don't need Quick Assist, block it. It does. It complicates the amount of steps that defenders need to do in order to prepare.
Sherrod DeGrippo: And I think a lot of times we talk about these concepts like least privilege or need to know or a variety of those types of concepts that we typically apply to humans. I think we have to remember to apply those also to permissions for machines and apps of like you said if you don't need Quick Assist just block it. Give it the least privilege that it could possibly need which is not -- we just I think have become so focused on getting through friction that people really aren't stopping to think. And if you're in a security role you're a knowledge worker. I really urge you to take time to sit and think about things that are happening in front of you, about clicking on that okay button, about installing the thing that the person has called you to tell you to install, about checking somebody's identity, making them authenticate to you whether that's via a technical means or asking them questions on the phone to make sure they are who they say they are. The faster you go, the higher the likelihood that you could get into trouble from a security perspective.
Kelsey Clapp: Yeah. And in the case of ransomware attacks like these when maybe a cybersecurity professional isn't the target making sure that there is a lot more education for everyone who interacts with their IT professionals at the company where they work so that way they're super familiar with what that process and procedures look like before you start a communication with your IT team.
Sherrod DeGrippo: And I think it's really obvious and evident too from the fact that these threat actors have the audacity -- like they're not hiding behind an email. They are literally calling you on Teams. Like being a full on fake IT professional which is very bold when you think about it, but it works because people want to trust the help desk. It works because someone's right in your face going, "Hey, hey, hey. Let's get this taken care of." All of these things are only being done by the threat actors because they work. Time and time again we know that threat actors do not go the extra mile. They go exactly to the finish line and they stop. So I think that's a really important thing to keep in mind about threat actor psychology. And I really think that this applies generally to nation sponsored threat, espionage, whatever it may be, crime, across threat actors. Once they achieve their objective they are complete. They are done. So they're not going to make things more difficult on themselves unless it is absolutely necessary. And they only make things more difficult on themselves when we impose that cost on them as users and security professionals. And honestly sending an email and then making a Teams call isn't a whole lot of friction. It isn't a big cost that we're imposing on these threat actors. So if you're answering these calls you're part of the problem. That was Sherrod's social engineering gullibility rant for the day. But it's like social engineering has gone full circle. So it used to be phone calls pretending to be tech support. Now it's basically the same playbook, but it's delivered over newer collaboration tools like video conferencing software.
Kelsey Clapp: Right. And in this particular instance the fact that if you all of a sudden unexpectedly your environment became more challenging and uncomfortable it should set off some red flags. Like in this case like there are many cases where this started with email bombing and there was a flood to the victim's inbox with spam. If all of a sudden something like that happens to you where an IT professional would be reaching out to you or sending you an email saying "Hey, we've noticed something's the matter" there should be some flags going off. If all of a sudden your environment is super confusing or complicated and it doesn't necessarily tie back to your own actions that should really be an opportunity for you to initiate talking with your IT team instead of just trusting that oh something's broken now. Whoever contacts me is the actual expert. But again that's their MO is trying to manipulate your trust.
Sherrod DeGrippo: 100%. And I think that the ability to be effective at social engineering it requires three things. Urgency. Emotion. And habit. And in this particular ReedBed attack it 100% leverages the urgency. They're telling you something's wrong with your computer. They're telling you this is important. It needs to be taken care of now. Habit. Doing things that IT says. Getting your computer handled, updated, fixed, whatever. And then the emotion aspect of fear that something's wrong, worried that you're not doing a good job. Interested in what this fake IT person has to say. So whenever you feel that you're in an elevated level of urgency, emotion, or habit that is really when threat actors can shift you over into a mindset that is not your natural state and it is a mindset where you will make decisions that you wouldn't normally make. Again this goes back to my plea to our global knowledge worker base to say "You are a knowledge worker. You need to stop and think." If your business is your brain you need to slow down your brain and make smart decisions. So I think to wrap up on one of these type of loaders like ReedBed it's dangerous because it doesn't just drop a piece of malware and stop. It remains interactive. Threat actors now have a direct line into that machine, into that network, into that organization. And they can load whatever tools that they want. So you've essentially trojanized yourself at the request of a phone call from a stranger. The kinds of things that we were told as 12-year-olds not to ever do, it sounds like the threat actors are having that happen to adults in professional jobs. Kelsey, anything else that we should mention about ReedBed before we move on?
Kelsey Clapp: Sure. So worth noting is the fact that ReedBed has actually evolved over time. So they are getting better with their stealth features. So food for thought. This is not something that is just stable shelf life, it's going to last forever, and Storm-1811's going to continue to use them. They are making it better. So the newest iterations have RC4 encryption, more registry tricks. They're careful about masquerading to look like trusted system files. So each iteration is in fact designed to be more effective at hiding. So worth noting that this is not shelf life stable. It is something that's continuing to evolve because it's effective. So we want to stop it. Block the pathways that this uses. Things like Quick Assist if you do not need it, and enforcing strong controls on remote monitoring tools, is the best way to prevent ReedBed from being a problem for you.
Sherrod DeGrippo: So I think what's interesting about SilentRoute and ReedBed as well as this threat actor Storm-2561 is that in both cases they are playing on your trust. So in the first case of Storm-2561 doing SEO poisoning they set up a website. They wait for you to walk into it. They wait for you to put in careful search engine terms that they then manipulate where you land, but then with ReedBed it's kind of the same thing, but in the reverse direction. The attacker is reaching out to you putting the humanity and the trust piece there again. So in the one case you're trusting in your search results. And then in the other case you're trusting in the IT help desk that you think is calling you. In the end let's be clear. Both of these results are the same. Ransomware credential theft. Data exfiltration. It doesn't matter if it starts with poisoned SEO results or it starts with a Teams call. These threat actors know how to play on your trust and it goes to me back to that old trust but verify phrase which I hate. No. No trust, but verify. Verify and verify. That's it. That really is the only option that we can take when it comes to security is verify and verify. You always verify first. So I think that we're seeing on the threat landscape threat actors making smart choices, getting things done, and being effective. Kelsey Clapp and Anna Seitz, security researchers at Microsoft. Thank you so much for joining me. This was a really interesting deep dive into ReedBed, SilentRoute, and Storm-2561. Thanks for joining me on the podcast.
Kelsey Clapp: Thanks for having us.
Sherrod DeGrippo: Thanks for listening to "The Microsoft Threat Intelligence Podcast." We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app. [ Music ]
